Azure Active Directory is "as a service" offering from Azure. I have seen documentations and content from Microsoft stating that can be used for SSO and other Web application for unified auth.
Will it be possible to make use of Azure Active Directory as replacement of Windows Server AD in Azure virtual machines in Virtual Networks? I see that the Windows Server Active Directory Installation on Azure VM involves execution from powershell and stuff?
NO! Windows Azure Active Directory is NOT a Domain Controller. You can NOT join computers to Windows Azure AD. You can use it to sync on-premises AD with Windows Azure AD to easily enable Web SSO (Single Sign On). You can use to build enterprise grade web applications.
You can read more about Windows Azure Active Directory here.
Up until recently the answer was a flat no, but that has changed with Windows 10.
Windows 10 devices can join Azure Active Directory (AD) domains. But it is more about identify management than traditional Active Directory (AD) services. But you can use a combination of Azure AD and MDM (Mobile Device Management) to provide some of the services that used to be reserved for AD.
One thing to keep in mind is that Azure Active Directory (AD) is completely different than the similarly named Active Directory provided by a Windows Domain Controller. Azure AD is not a Domain Controller, but as of Windows 10 Azure AD, MDM and Intune can do some of the things that you previously could only be provided by AD. With Windows 10, Microsoft has greatly extended MDM and has made it possible to manage regular Windows 10 desktop and laptops with MDM.
The Active Directory Team Blog has more information. The post Azure Active Directory and Windows 10: Bringing the cloud to enterprise desktops! list some of the benefits that it brings including:
Self-provisioning of corporate owned devices.
Use existing organizational accounts.
Automatic MDM enrollment.
Single Sign-On to company resources in the cloud.
Single Sign-on on-premises
Enterprise-ready Windows store.
Support for modern form factors. Azure AD Join will work on devices that don't have the traditional domain join capabilities.
OS State Roaming.
This doesn't cover the traditional features provided by AD. Per the post Azure AD Join on Windows 10 devices Azure AD it targeted at the following three scenarios: Your apps and resources are largely in the cloud, Seasonal workers and Students, and Choose your own device for on-premises users. As you can see Azure AD is targeted more towards enabling BYOD (Bring Your Own Device). Azure AD enables management of devices, like tablets or non-Pro version of Windows, that don't have the capability to join a Domain.
From the same post:
Domain join gets you the best on-premises experiences on devices
capable of domain joining, while Azure AD join is optimized for users
that primarily access cloud resources. Azure AD Join is also great if
you want to manage devices from the cloud with a MDM instead of with
Group Policy and SCCM.
Azure now offers traditional Active Directory service called Azure Active Directory Domain Services. This offers domain join, NTLM and Kerboeros authentication. You can even manage machines using Group Policy.
This is possible using Azure Active Directory Domain Service (notice the difference from regular Azure Active Directory which does not have domain support)
https://azure.microsoft.com/en-us/services/active-directory-ds/
Related
I have an on-premises Windows server 2022, which is running AD DS, NPS and DHCP. I also have Azure AD subscription, where my users are located. I would like to keep my users database (AD) in the cloud, since currently, I do not have any backup solutions and it is easier for me to manage. I want to have ieee 801.x on premises, as well as VPN service. Is it possible to force the NPS to authenticate against the Azure AD, where all my users are located? If yes, how can this be done?
I know that Azure AD Connect provides hybrid integration, but from what I read, it is only one way, i.e from on-premises AD to cloud synchronization, but not the other way around.
Yes, you are correct that the synchronization is only one-way and the workarounds currently are to use use PowerShell export/import or use a third-party tool. In the NPS article you linked, the on-premises users ultimately authenticate against Azure MFA. The NPS extension acts as an adapter between RADIUS and cloud-based Azure AD Multi-Factor Authentication to provide MFA for the federated or synced users. Your cloud users would just use regular Azure MFA without needing that adapter.
The most common workaround for the user writeback scenario is to create a PowerShell script that scans Azure AD regularly, finds the users in Azure, and then creates an on-premises user with the attributes in Azure AD.
The regular user writeback feature is on the roadmap and actively being worked on though. I've asked for an update from the PG and will edit this post once it is available.
For cloud VPN options, see: Azure AD Authentication - Open VPN.
can someone explain how access management on Azure differs from local on-prem Active Directory - DC? For example, on DC and AD we can have local security groups for application authentication and authorization and for share folders, but how this thing works in Azure for their SaaS and onedrive? Does Azure have the same security groups like AD has? Where can I learn more about this specific architecture?
Thanks!
Yep, it's called Azure Active Directory (AAD). Documentation is here. You can set up groups and policies similarly to how you would in an on-prem AD.
Here's a comparison of the two.
I want to test my application deployment with Azure Windows Virtual Desktop(Preview), but we do not have azure active directory setup in my application azure deployment. As we are doing lift & shift of our existing on-premise deployment, we have created a domain controller and setup a windows active directory into it on an azure VM.
In msdn documentation for WVD setup, I found multiple steps involved the Azure Active directory. Is it possible to create a WVD setup using the domain controller?
Azure AD extends on-premises Active Directory environments into the cloud, enabling users to use their primary organizational account to sign in not only to their domain-joined devices and company resources, but also to all the web and SaaS applications they need for their jobs.
And Important part of WVD Requirement is An Azure Active Directory and domain controller in sync with Azure Active Directory.
https://learn.microsoft.com/en-us/azure/virtual-desktop/overview#requirements
What am I missing here? I'm thinking of moving my data center to Azure. I've created a corporate virtual network that has my ADs, my certificates, basically the family jewels of the company that I'm trying to build in the cloud. I've plugged up every obvious security hole that I can think of except one: the login to the Azure Portal is just a simple user id/password. If someone picked off my Microsoft Live user id, all they need is a password cracker. And a disgruntled or dismissed employee could easily cause havoc. Is there some way to lock down the portal? Does anyone in the security business think these Azure web sites are secure?
You can use Azure AD to properly secure the portal authentication. Azure AD is designed to securely authenticate applications in the cloud and it is supported by the majority of Microsoft solutions like Azure Portal. It will provide features like MFA, access control, self-service password reset, etc.
Although Microsoft Accounts also support some of these features, you can't force your users to specific policies, that's why Azure AD is important for enterprise level security.
Once you create a directory for your company through Azure Portal and synchronize your AD objects with Azure AD using the AAD Connect tool you will be able to login to Azure Portal using your corporate credentials and force users to use Multi-factor authentication or even apply other policies.
Azure Active Directory features and capabilities
Azure Active Directory Hybrid Identity Design Considerations
Integrating your on-premises identities with Azure Active Directory
Before I am going to describe my questions, I would like to tell you that I am a web developer and not a security/Active Directory or Azure specialist, so please be gentle :-)
I work for a large international financial services company. We have a global IT department that provides member firms with services that we use (Active Directory 2012).
In my member firm, we are currently considering migrating custom build websites to Azure. All the custom build websites are implemented with Kerberos and Single Sign-On using Active Directory. Some of these websites read & write information in Active Directory.
The challenge that we are facing is how we can migrate these websites to Azure whilst using the enterprise's Active Directory. I searched for detailed information about solutions available but haven't found anything that answered my questions. My questions:
What solutions are there for connecting Azure with an enterprise's Active Directory?
What are the advantages and disadvantages for these solutions?
What are the requirements for these solutions?
Perhaps there is a book/blog/whitepaper that answers my questions?
AFAIK you cannot use directly the corp AD from Azure. You must use Azure Active Directory. However, there are solution to keep the corp AD and the Azure AD in sync. For example read Connecting AD and Azure AD: Only 4 clicks with Azure AD Connect, which shows how to use Azure AD Connect to link the Azure AD with your corp AD. It will basically mirror one corporate AD forest with an Azure AD account, and keep it up to date by periodic re-sync. The net effect is that you develop your cloud apps to authenticate and authorize based on the Azure AD, but the Azure AD will mirror the corp AD. There will be a delay in propagating changes to Azure AD, eg. an employee added to the "domain\sales" group will not be allowed to access the "Sales" app for some hours until the Azure AD sync catches up with the corp AD change.